Fighting Cyber-Threats via Coordinated Sector Resilience
Jason Harrell is the executive director and head of business and government cybersecurity partnerships at DTCC.
As cyber threats that target the financial services industry grow and evolve, market participants and operators face increasing pressure to defend their systems against these threats. At the same time, the benefits of new technology and increased outsourcing are enabling firms to extend financial services to billions of excluded or underserved individuals, enhance the customer experience, promote financial inclusion, and extend the cyber defense abilities of market participants and operators.
Today, the global financial markets are highly connected through technology and automation. The delivery of financial products and services to the marketplace has become a web of firms, intermediaries, suppliers, and consumers. Because of this ecosystem, a cyber-attack could function as a virus. Just as a virus spreads to anything with which it comes into contact, the impact of a cyber-attack may cross firms, regulatory jurisdictions, and national boundaries, creating shocks across markets. Therefore, it is critical that as an industry, we fully understand how the risk of a material cyber-attack could impact risk, both in terms of risk transmission and potential loss of access to financial services – as well as the overall health of the financial markets.
One antidote for managing the potentially viral impact of a cyber-attack is financial sector (Sector) resilience. Resilience is the practices and disciplines that enable firms to provide products and services to the marketplace in the face of disruptive events, regardless of the nature or origin of such events by anticipating, preventing, recovering from or adapting to such incidents. No single firm, financial market utility, supervisor, regulator or standards-setting body alone can achieve Sector resilience. It can only be accomplished through close collaboration, at a global level, across interdependent entities. While firms should continue to focus on and prioritize their own cybersecurity efforts, they must also maintain a view on how these activities may impact the Sector.
The Need For Sector Resilience
The continued maturation and interconnectedness of the Sector are increasing the surface area and points of entry for malicious cyber-attacks. Given the complexity of financial products and services as well as the interconnectedness of the market participants and operators that provide these services, the impact of a cyber-attack or other material operational event could erode consumer trust in the financial system. Because of this, central banks, supervisors, and regulators also play important roles in ensuring cyber resilience in the financial system.
Market participants and operators, central banks, supervisors, regulators, and standard-setting bodies must each understand their role in the development of Sector resilience. Essential to achieving this goal is the ability of these entities to work together to promote resilience by developing best practices for new technology, information sharing at a national and global level, identifying opportunities to appropriately leverage new technology and third-party services, globally coordinating new supervisory rules and guidance, and practicing resilience strategies across each market segment.
Resolutions and Solutions
At DTCC, we engage with the industry in many ways, but we believe there are three primary initiatives that may have the largest impact on the industry around preparedness and resilience efforts.
First regulatory fragmentation continues to challenge the industry as firms attempt to adhere to a mix of cybersecurity frameworks, prescriptive and principles-based regulation, and sometimes differing requirements. The Financial Services Sector Coordinating Council (FSSCC), a financial trade association that consists of financial firms and utilities that work on policy issues concerning sector resilience, developed the Cybersecurity Profile (Profile). The Profile is a toolset built on the NIST Cybersecurity Framework that allows firms to demonstrate their adherence to supervisory rules and guidance through a set of diagnostic statements based on a firm’s potential impact on sector resilience. It also provides several benefits to the supervisory community by providing a means to measure the cyber preparedness of similar firms and identify potential control gaps across those same firms. DTCC partnered with FSSCC members to develop the Profile and is currently working with the FSSCC to globally expand its use.
Second, the Financial Stability Board (FSB), an international body that seeks to strengthen financial systems and increase the stability of international financial markets, put together a working group to support and provide guidance to firms on their resilience efforts. This effort began with the development of a Cybersecurity Lexicon, a tool to standardize the terminology used to discuss cyber topics. The FSB is continuing its efforts in this area through the Cyber Incident Response and Recovery (CIRR) working group, where the industry will work together to develop a toolkit of effective practices in managing cyber incidents.
Finally, the Financial Systemic Analysis and Resilience Center (FSARC), an industry association designed to increase the resilience of the US financial services sector, facilitates operational collaboration between participating financial institutions and market utilities, the US government and other key partners. DTCC, as part of its external cyber engagement, actively participates in several working groups designed to identify sector risks, identify potential warnings or indicators of an imminent cyber-attack, and decrease the operational friction that may occur between financial institutions, financial market utilities, and government agencies during a material operational event.
The Way Forward
Individual firms should remain appropriately focused on bolstering their own cybersecurity plans. However, it is essential that financial institutions take collaborative action for the benefit of their peers and the broader industry. We operate in a true ecosystem where each entity is a vital contributor to the resilience of the whole. If one firm is negatively impacted, others are immediately at risk because of the connections among the group. With a collaborative and coordinated plan in place which incorporates information sharing, industry resilience initiatives, and simulations, we can continue to bolster the Sector’s capabilities while improving our individual ability to recover from disruptions.
There is also a material increase in concern over cyber-risk.
Managers should continue to modernize legal and compliance.
The standard check-list mentality is not as secure as one would think.
Recovery is impacted by differences in the way data is stored across the financial sector.
Unauthorised parties breached the Banks’ Integrated Reporting Dictionary website.